IT404 Module 09

The document discusses various types of malicious software, including viruses, worms, and Trojan horses, detailing their characteristics, propagation methods, and countermeasures. It highlights the importance of understanding malware structures, phases, and classification strategies to effectively combat threats. Additionally, it covers Distributed Denial of Service (DDoS) attacks and outlines defense strategies against such attacks.
IT404

Network Security
Module 09
Malicious Software

MAIN REFERENCE
• Network Security Bible, 2nd Edition, Eric Cole, Wiley, 2009.
Learning Outcomes

1. To differentiate between various malicious programs
2. To discuss nature, classification and virus kits
3. To describe various worm technology and countermeasures
4. To elaborate on virus, worm and DDoS countermeasures
Terminology for Malicious Software
9.1 Backdoor or Trapdoor

 Secret entry point into a program
 Allows those who know of it to gain access, bypassing the usual security procedures
 Have been commonly used by developers
 A threat when left in production programs, allowing exploitation by attackers
 Requires good software development and update practices
9.2 Logic Bomb

 One of the oldest types of malicious software
 Code embedded in a legitimate program
 Activated when specified conditions are met, for example:
  presence/absence of some file
  particular date/time
  particular user
 When triggered, typically damages the system
  modify/delete files/disks, halt machine, etc.
9.3 Trojan Horse

 Program with hidden side-effects
 Which is usually superficially attractive
  Example: game, software upgrade
 Fit into one of three models:
  Continuing to perform the function of the original program and additionally performing a separate malicious activity
  Continuing to perform the function of the original program but modifying the function to perform malicious activity or to disguise other malicious activity
  Performing a malicious function that completely replaces the function of the original program
9.4 Mobile Code

 Program/script/macro that runs unchanged
  on a heterogeneous collection of platforms
  on a large homogeneous collection (Windows)
 Transmitted from a remote system to a local system and then executed on the local system
 Often used to inject a virus, worm, or Trojan horse
  Examples: Java applets, ActiveX, JavaScript, VBScript
 Or to perform its own exploits
  unauthorized data access, root compromise
9.5 Multiple-Threat Malware

 Malware may operate in multiple ways
 Multipartite virus infects in multiple ways
  multiple file types
 Blended attack uses multiple methods of infection or transmission
  to maximize speed of contagion and severity
  may include multiple types of malware
  Nimda has worm, virus, mobile code
  can also use IM & P2P
9.6 Virus Structure

 A computer virus and many contemporary types of malware include one or more variants of each of these components:

 Infection mechanism
  The means by which a virus spreads or propagates, enabling it to replicate
  Also referred to as the infection vector

 Trigger
  The event or condition that determines when the payload is activated or delivered
  Sometimes known as a logic bomb

 Payload
  What the virus does, besides spreading
  May involve damage or benign but noticeable activity
9.7 Virus phases

 During its lifetime, a typical virus goes through the following four phases:
  Dormant phase
  Propagation phase
  Triggering phase
  Execution phase
9.8 Virus Classification by target

 Includes the following categories:

 Boot sector infector
  Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus

 File infector
  Infects files that the operating system or shell consider to be executable

 Macro virus
  Infects files with macro or scripting code that is interpreted by an application

 Multipartite virus
  Infects files in multiple ways
9.9 Virus classification by concealment strategy

 Includes the following categories:

 Encrypted virus
  A portion of the virus creates a random encryption key and encrypts the remainder of the virus
  When an infected program is invoked, the virus uses the stored random key to decrypt the virus
  When the virus replicates, a different random key is selected
  Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe

 Stealth virus
  A form of virus explicitly designed to hide itself from detection by antivirus software
  The entire virus, not just the payload, is hidden

 Polymorphic virus
  A virus that mutates with every infection, making detection by the “signature” of the virus impossible

 Metamorphic virus
  Mutates with every infection
  Rewrites itself completely at each iteration, increasing the difficulty of detection
  May change its behavior as well as its appearance
9.10 Virus Countermeasures

 Best approach:-
  Detection
  Identification
  Removal

 (Step, 93) identifies 4 generations of antivirus software:-

 First generation
  Simple scanners
  Scanner requires a malware signature to identify the malware

 Second generation
  Heuristic scanners
  Uses heuristic rules to search for probable malware instances
  Integrity checking

 Third generation
  Activity traps
  Memory-resident programs that identify malware by its actions rather than its structure in an infected program

 Fourth generation
  Full-feature protection
  Packages consisting of a variety of antivirus techniques used in conjunction
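An added example (not from the slides or the reference) contrasting a first-generation signature scanner with second-generation integrity checking, and showing why the per-instance encryption of 9.9 defeats the former but not the latter. The file contents, the "signature" byte pattern and the XOR key are all constructed for illustration.

```python
import hashlib

# Constructed sample signature: the fixed byte pattern a first-generation
# scanner would search for. Not a real malware signature.
SIGNATURE = b"PAYLOAD:format-disk"


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """First-generation scanner: flags a file only if the constant pattern is present."""
    return signature in data


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Integrity checking, step 1: record a hash of every file while it is known clean."""
    return {name: sha256(content) for name, content in files.items()}


def integrity_check(files: dict, baseline: dict) -> list:
    """Integrity checking, step 2: report every file whose hash no longer matches."""
    return sorted(name for name, content in files.items()
                  if baseline.get(name) != sha256(content))


def xor_bytes(data: bytes, key: int) -> bytes:
    """Stand-in for the per-instance encryption an encrypted virus applies to its body."""
    return bytes(b ^ key for b in data)


def demo() -> dict:
    # Constructed "clean" files and their baseline hashes.
    clean = {"editor.exe": b"CLEAN PROGRAM BODY v1", "calc.exe": b"CLEAN CALC BODY"}
    baseline = build_baseline(clean)
    # Infection 1: body appended as-is, so its constant bit pattern is observable.
    infected_plain = clean["editor.exe"] + SIGNATURE
    # Infection 2: same body stored under a per-instance key (0x5A, constructed),
    # so no constant bit pattern exists for the scanner to match.
    infected_enc = clean["calc.exe"] + xor_bytes(SIGNATURE, 0x5A)
    current = {"editor.exe": infected_plain, "calc.exe": infected_enc}
    return {
        "scanner_flags": sorted(n for n, d in current.items() if signature_scan(d)),
        "integrity_flags": integrity_check(current, baseline),
    }
```

The signature scanner reports only the unencrypted instance, while the hash comparison reports both because any modification of a baselined file changes its digest.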
9.11 Worms

 A program that actively seeks out more machines to infect
 Upon activation, the worm may replicate and propagate again
 To replicate itself, a worm uses some means to access remote systems:
  Electronic mail or instant messenger facility
  File sharing
  Remote execution capability
  Remote file access or transfer capability
  Remote login capability
9.12 Worm phases

 A worm typically uses the same phases as a computer virus:


 Dormant
 Propagation
 Triggering
 Execution
 The propagation phase generally performs the following functions:
 Search for appropriate access mechanisms to other systems
to infect by examining host tables, address books, buddy
lists, trusted peers, and other similar repositories of remote
system access details
 Use the access mechanisms found to transfer a copy of itself
to the remote system and cause the copy to be run
9.13 The Morris worm
 Released onto the Internet by Robert Morris in 1988
 Designed to spread on UNIX systems and used a number of different techniques for propagation
 When a copy began execution, its first task was to discover other hosts known to this host that
would allow entry from this host
 For each discovered host, the worm tried a number of methods for gaining access:
 It attempted to log on to a remote host as a legitimate user
 It exploited a bug in the UNIX finger protocol, which reports the whereabouts of a remote user
 It exploited a trapdoor in the debug option of the remote process that receives and sends mail
9.14 Worm Technology

 Multiplatform
 Multi-exploit
 Ultrafast spreading
 Polymorphic
 Metamorphic
 Transport vehicles
 Zero-day exploit
9.15 Perimeter worm countermeasures

(Class A) Signature-based worm scan filtering
• This type of approach generates a worm signature, which is then used to prevent worm scans from entering/leaving a network/host

(Class B) Filter-based worm containment
• This approach is similar to class A but focuses on worm content rather than a scan signature

(Class C) Payload-classification-based worm containment
• These network-based techniques examine packets to see if they contain a worm

(Class D) Threshold random walk (TRW) scan detection
• Exploits randomness in picking destinations to connect to as a way of detecting if a scanner is in operation

(Class E) Rate limiting
• This class limits the rate of scanlike traffic from an infected host

(Class F) Rate halting
• This approach immediately blocks outgoing traffic when a threshold is exceeded either in outgoing connection rate or in diversity of connection attempts
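An added example (not from the slides or the reference) of the Class F rate-halting rule applied to a constructed set of outgoing connection attempts: a host is blocked the moment either its connection count or its number of distinct destinations inside a sliding window exceeds a threshold. The window size and both thresholds are assumed values chosen for the sample, not recommended settings.

```python
from collections import defaultdict, deque

# Constructed perimeter observations: (timestamp in seconds, source host, destination).
# Three hosts: a normal one, a bursty client talking to a single server, and a
# scanner touching a new destination on every attempt. Not real traffic.
SAMPLE_CONNECTIONS = (
    [(i * 0.6, "10.0.0.5", f"10.0.1.{20 + i % 3}") for i in range(5)]
    + [(i / 20, "10.0.0.7", "10.0.1.80") for i in range(12)]
    + [(i / 10, "10.0.0.9", f"192.0.2.{i + 1}") for i in range(8)]
)


def rate_halting(connections, window=1.0, rate_limit=10, diversity_limit=5):
    """Class F rate halting over a stream of connection attempts.

    Returns {host: (reason, timestamp)} for every host that gets blocked, where
    reason is "rate" (too many attempts in the window) or "diversity" (too many
    distinct destinations in the window). Once blocked, a host's later attempts
    are ignored, matching the "immediately blocks outgoing traffic" behaviour.
    """
    recent = defaultdict(deque)  # host -> (timestamp, destination) within the window
    blocked = {}
    for ts, src, dst in sorted(connections):
        if src in blocked:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) > rate_limit:
            blocked[src] = ("rate", ts)
        elif len({d for _, d in q}) > diversity_limit:
            blocked[src] = ("diversity", ts)
    return blocked
```

The bursty client trips the rate threshold without ever exceeding the diversity threshold, while the scanner trips the diversity threshold well before its raw rate would, which is what lets the diversity check catch slow scans that a pure rate limit (Class E) would pass.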
9.16 Distributed Denial of Service Attacks (DDoS)

 Distributed Denial of Service (DDoS) attacks form a significant security threat
  making networked systems unavailable
  by flooding them with useless traffic
  using large numbers of “zombies”
 Growing sophistication of attacks
 Defense technologies struggling to cope
9.17 DDoS Countermeasures

In general, there are three lines of defense against DDoS attacks:

 Attack prevention and preemption (before the attack)
 Attack detection and filtering (during the attack)
 Attack source traceback and identification (during and after the attack)
Summary
 Malicious software is software that is intentionally included or inserted in a system for a
harmful purpose.
 A virus is a piece of software that can “infect” other programs by modifying them.
 A worm is a program that can replicate itself and send copies from computer to
computer across network connections.
 A denial of service (DoS) attack is an attempt to prevent legitimate users of a service
from using that service.